Server-to-server authentication and user profiles in SharePoint Server

Summary: Learn how to plan user profiles for server-to-server authentication in SharePoint Server 2013 and SharePoint Server 2016.

Server-to-server authentication allows servers that are capable of server-to-server authentication to access and request resources from one another on behalf of users. Therefore, the server that runs SharePoint Server and that services the incoming resource request must be able to complete two tasks:

  • Resolve the request to a specific SharePoint user

  • Determine the set of role claims that are associated with the user, a process known as rehydrating the user's identity

To rehydrate a user's identity, a server that can perform server-to-server authentication requests access to SharePoint resources. SharePoint Server takes the claims from the incoming security token and resolves them to a specific SharePoint user. By default, SharePoint Server uses the built-in User Profile service application to resolve the identity.

The key user attributes for locating the corresponding user profile are as follows:

  • The Windows Security Identifier (SID)

  • The Active Directory Domain Services (AD DS) user principal name (UPN)

  • The Simple Mail Transfer Protocol (SMTP) address

  • The Session Initiation Protocol (SIP) address

Therefore, at least one of these user attributes must be current in user profiles.

Note

For SharePoint Server 2013 only, we recommend a periodic synchronization from identity stores to the User Profile service application. For more information, see Plan profile synchronization for SharePoint Server 2013.

Furthermore, SharePoint Server expects only one matching entry in the User Profile service application for a given lookup query that is based on these four attributes. Otherwise, it returns an error condition that multiple user profiles were found. Therefore, you should periodically delete obsolete user profiles in the User Profile service application to avoid multiple user profiles that share these four attributes.

If a user profile and the relevant group memberships for the user are not synchronized, SharePoint Server may incorrectly deny access to a given resource. Therefore, make sure that group memberships are synchronized with the User Profile service application. For Windows claims, the User Profile service application imports the four key user attributes previously described and group memberships.

For forms-based and Security Assertion Markup Language (SAML)-based claims authentication, you must do one of the following:

  • Create a synchronization connection to a data source that the User Profile service application supports and associate the connection with a specific forms-based or SAML authentication provider. Additionally, you have to map attributes from the user store to the four user attributes previously described, or as many of them as you can obtain from the data source.

  • Create and deploy a custom component to perform the synchronization manually. This is the most likely option for users who do not use Windows. Note that the forms-based or SAML authentication provider is invoked when the user's identity is rehydrated to get their role claims.

User rehydration for requesting servers

If the requesting server is running Exchange Server 2016 or Skype for Business Server 2015, which use standard Windows authentication methods, the incoming security token sent by the requesting server contains the UPN of the user and may contain other attributes such as SMTP, SIP, and the SID of the user's identity. SharePoint Server, the receiving server, uses this information to locate the user profile.

For a requesting server that is running SharePoint Server, the receiving server rehydrates the user through the following claims-based authentication methods:

  • For Windows claims authentication, SharePoint Server uses AD DS attributes to find the user profile for the user (for example, the UPN or SID values) and their role claims (group membership).

  • For forms-based authentication, SharePoint Server uses the Account attribute to locate the user's profile and then invokes the role provider and all additional custom claims providers to obtain the corresponding set of role claims. For example, SharePoint Server uses attributes in AD DS, in a database such as a SQL Server database, or in a Lightweight Directory Access Protocol (LDAP) data store to find the user profile that represents the user (for example, the UPN or SID values). Your component to synchronize your forms-based provider should at a minimum populate user profiles with the user's account name. You can also create a custom claim provider to import additional claims as attributes into user profiles.

  • For SAML-based claims authentication, SharePoint Server uses the AccountName attribute to locate the user's profile and then invokes the SAML provider and all additional custom claims providers to obtain the corresponding set of role claims. The user identity claim should be mapped to the Account attribute in user profiles through the corresponding SAML claims provider, which should be configured to populate your user profiles. Similarly, a UPN claim should be mapped to the UPN attribute and the SMTP claim should be mapped to the SMTP attribute. To duplicate the set of claims that the user would usually obtain from their identity provider, you must add those claims, including the role claims, through claims augmentation. A custom claim provider must import those claims as attributes into user profiles.
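The profile lookup described earlier (at least one of SID, UPN, SMTP or SIP must be current, and exactly one profile may match) and the claim-to-attribute mapping described for SAML claims, modelled together as an added Python example; this is not SharePoint's own implementation. The sample profile store, the claim-type names, and the rule that a profile matches when any one of its four key attributes equals the token's value are assumptions made for the example.

```python
# Constructed sample of what the User Profile service application holds after
# synchronization (all values made up). The third entry is a stale profile that
# still shares bob's SMTP address, the situation the page says to avoid.
PROFILES = [
    {"Account": "i:0#.w|contoso\\alice", "SID": "S-1-5-21-1-2-3-1001",
     "UPN": "alice@contoso.com", "SMTP": "alice@contoso.com",
     "SIP": "alice@contoso.com", "Groups": ["Finance", "Everyone"]},
    {"Account": "i:0#.w|contoso\\bob", "SID": "S-1-5-21-1-2-3-1002",
     "UPN": "bob@contoso.com", "SMTP": "bob@contoso.com",
     "SIP": "", "Groups": ["Everyone"]},
    {"Account": "i:0#.w|contoso\\bob.old", "SID": "S-1-5-21-1-2-3-1099",
     "UPN": "bob.old@contoso.com", "SMTP": "bob@contoso.com",
     "SIP": "", "Groups": []},
]

# Hypothetical claim-type names, mapped onto the four key profile attributes
# the way the page describes (UPN claim -> UPN, SMTP claim -> SMTP, and so on).
CLAIM_TO_ATTRIBUTE = {"sid": "SID", "upn": "UPN", "smtp": "SMTP", "sip": "SIP"}


class RehydrationError(Exception):
    """Raised when the token cannot be resolved to exactly one user profile."""


def token_to_attributes(claims):
    """Keep only the claims that map to SID/UPN/SMTP/SIP, normalized for lookup."""
    attrs = {}
    for claim_type, value in claims.items():
        attr = CLAIM_TO_ATTRIBUTE.get(claim_type.lower())
        if attr and value:
            attrs[attr] = value.strip().lower()
    return attrs


def rehydrate(claims, profiles=PROFILES):
    """Resolve an incoming token to (account, role_claims) or raise."""
    # Assumption: a profile matches if any of its key attributes equals the
    # token's value. >1 match is the "multiple user profiles" error; 0 means
    # the profile is missing or not synchronized.
    attrs = token_to_attributes(claims)
    if not attrs:
        raise RehydrationError("token carries none of SID, UPN, SMTP or SIP")
    matches = [p for p in profiles
               if any(p[a] and p[a].lower() == v for a, v in attrs.items())]
    if len(matches) > 1:
        raise RehydrationError(f"multiple user profiles found for {attrs}")
    if not matches:
        raise RehydrationError(f"no user profile found for {attrs}")
    return matches[0]["Account"], list(matches[0]["Groups"])
```

Running rehydrate for bob with both UPN and SMTP claims fails with the ambiguity error because the stale profile still carries his SMTP address; deleting that obsolete profile is the fix the text prescribes.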

See also

Concepts

Plan for server-to-server authentication in SharePoint Server

Authentication overview for SharePoint Server